New VENOM Phishing Attacks Steal Senior Executives' Microsoft Logins

BleepingComputer, Apr 9, 2026

Why It Matters

The theft of C‑suite Microsoft credentials enables attackers to commandeer corporate cloud resources, posing severe data‑exfiltration and financial risks. Strengthening authentication for executives is now a critical priority for enterprises.

Key Takeaways

  • VENOM PhaaS targets C‑suite Microsoft credentials via phishing.
  • Attack uses QR code and URL fragment to hide email address.
  • AiTM and device‑code flows capture MFA tokens, bypassing password resets.
  • Researchers recommend FIDO2, disabling device‑code flow, stricter conditional access.
  • Platform operates closed‑access, evading public detection.

Pulse Analysis

The emergence of phishing‑as‑a‑service platforms like VENOM reflects a troubling shift toward commoditized, high‑stakes cyber‑crime. By masquerading as Microsoft SharePoint notifications, the campaign lures CEOs, CFOs, VPs and other senior executives into scanning QR codes that direct only genuine targets to a credential‑harvesting portal. Hiding the victim's double‑Base64‑encoded email address in the URL fragment further obscures the target's identity from traditional web filters and reputation services, allowing the operation to remain under the radar of most security teams.
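As an added example, not code from BleepingComputer or the VENOM researchers, the following Python triage helper checks whether a link's URL fragment is an email address base64-encoded twice, the hiding technique described above, so a mail-gateway rule or an analyst can flag such links and see whom they were aimed at. The host name and the sample address are constructed for the test; no real indicator is used.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def _b64decode_lenient(s):
    """Decode base64 that may use the URL-safe alphabet or omit padding."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def decode_fragment_email(url):
    """Return the address hidden in the URL fragment when the fragment is an
    e-mail address base64-encoded twice; otherwise return None."""
    frag = urlsplit(url).fragment
    first = _b64decode_lenient(frag) if frag else None
    if first is None:
        return None
    try:
        second = _b64decode_lenient(first.decode("ascii"))
        candidate = second.decode("utf-8") if second is not None else None
    except UnicodeDecodeError:
        return None
    return candidate if candidate and EMAIL_RE.match(candidate) else None

def flag_suspicious_urls(urls):
    """Map each URL whose fragment hides a double-encoded address to that
    address, so a gateway rule or analyst can see whom the link targeted."""
    found = {}
    for url in urls:
        email = decode_fragment_email(url)
        if email:
            found[url] = email
    return found

def build_sample_url(email):
    """Constructed test input: a fake notification link carrying the address
    encoded twice, mirroring the technique the article describes."""
    inner = base64.b64encode(email.encode("utf-8")).decode("ascii")
    outer = base64.b64encode(inner.encode("ascii")).decode("ascii")
    return "https://sharepoint-notice.invalid/doc#" + outer

SAMPLE_URL = build_sample_url("cfo@example.com")  # constructed, not a real IoC
```

Because the fragment is never sent to the server, only client-side or pre-delivery inspection of the link text can recover the address; URL reputation lookups on the host alone will not.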

VENOM’s technical arsenal combines an adversary‑in‑the‑middle (AiTM) login proxy with a device‑code flow that tricks users into authorizing a rogue device. Both methods capture the full authentication token, rendering one‑time passwords and standard multi‑factor authentication ineffective. By registering a new device or extracting a persistent token, attackers gain long‑term access to Office 365 environments, email, Teams, and other SaaS tools, dramatically expanding the potential impact of a single compromised executive account.

For organizations, the takeaway is clear: legacy MFA alone no longer safeguards privileged accounts. Security leaders should mandate hardware‑based FIDO2 authenticators for C‑suite users, disable the Azure device‑code flow where unnecessary, and enforce conditional access policies that scrutinize anomalous sign‑in locations and device registrations. Continuous monitoring for token abuse, combined with rapid incident response playbooks, will help mitigate the risk posed by sophisticated PhaaS operations like VENOM.
